Android Trojan called Joker signs users up for premium subscriptions

• Researchers have discovered a new Trojan called Joker on Google Play. This Trojan has been detected in 24 Android apps with more than 472,000 downloads in total.
• It harvests sensitive data such as contact lists, text messages, and device information. Joker Trojan is also known to sign users up for premium subscriptions.

A new Android malware called Joker, that hides behind the advertisement framework of the compromised apps, has been found to be active since early June. It signs users up for premium subscriptions and steals personal data. A total of 24 Play Store apps, including ones with over 100,000 downloads, have been found to be infected with this malware.

How does it operate?

• The Joker Trojan downloads a second-stage component to the device. This component simulates automated interaction on advertisement sites and harvests sensitive data including text messages and contacts.
• With access to text messages, this Trojan extracts codes from authorization messages to subscribe users to premium services.

All the harvested data is encrypted and sent to the command-and-control server.

Targeted areas

Many of the Joker-infected apps primarily target European and Asian countries. It has also been discovered that most of these apps have an additional check to ensure that the payload doesn’t execute when running in the US or Canada.

CSIS Security Group announced,“The full list of 37 targeted countries includes: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and United States.” They have also released the list of indicators of compromise.

The compromised apps contain a set of Mobile Country Codes. The country code of the potential victim’s SIM card is compared with this list. If it matches, Joker goes ahead and downloads the second-stage malicious component.

Worth noting

Google is continuously weeding out all the infected apps from the Play Store. However, it is recommended that Android users grant app permissions only after verifying them for each app they download.